Merge pull request #792 from stackhpc/upstream/2025.1-2025-09-15

priteau · web-flow · commit 612a5b7008e3 · 2025-09-15T09:16:26.000+02:00
Synchronise 2025.1 with upstream
diff --git a/ansible/roles/nova-cell/tasks/deploy.yml b/ansible/roles/nova-cell/tasks/deploy.yml
@@ -2,6 +2,8 @@
 - include_tasks: clone.yml
   when: nova_dev_mode | bool
 
+- import_tasks: version-check.yml
+
 - import_tasks: config-host.yml
 
 - import_tasks: config.yml
diff --git a/ansible/roles/nova-cell/tasks/upgrade.yml b/ansible/roles/nova-cell/tasks/upgrade.yml
@@ -1,4 +1,6 @@
 ---
+- import_tasks: version-check.yml
+
 - name: Stopping nova cell services
   become: true
   kolla_container:
diff --git a/ansible/roles/nova-cell/tasks/version-check.yml b/ansible/roles/nova-cell/tasks/version-check.yml
@@ -0,0 +1,88 @@
+---
+- block:
+    - name: Get new Libvirt version
+      become: true
+      kolla_container:
+        action: "start_container"
+        command: "libvirtd --version"
+        common_options: "{{ docker_common_options }}"
+        container_engine: "{{ kolla_container_engine }}"
+        detach: false
+        environment:
+          KOLLA_CONFIG_STRATEGY: "{{ config_strategy }}"
+        image: "{{ service.image }}"
+        name: "libvirt_version_check"
+        restart_policy: oneshot
+        remove_on_exit: true
+      register: libvirt_version_new
+      failed_when: false
+      check_mode: false
+      run_once: true
+      delegate_to: "{{ groups[service.group] | first }}"
+
+    - name: Cache new Libvirt version
+      set_fact:
+        libvirt_new_version: "{{ libvirt_version_new.stdout | regex_search('[0-9]+\\.[0-9]+\\.[0-9]+') }}"
+      run_once: true
+      delegate_facts: true
+      delegate_to: "{{ groups[service.group] | first }}"
+
+    - name: Get nova_libvirt image info
+      include_role:
+        name: service-image-info
+      run_once: true
+
+    - name: Get container facts
+      become: true
+      kolla_container_facts:
+        action: get_containers
+        container_engine: "{{ kolla_container_engine }}"
+        name:
+          - "{{ service.container_name }}"
+      register: container_facts_per_host
+      run_once: true
+      delegate_to: "{{ item }}"
+      loop: "{{ groups[service.group] }}"
+      loop_control:
+        label: "{{ item }}"
+
+    - name: Get current Libvirt version
+      become: true
+      command: "{{ kolla_container_engine }} exec {{ service.container_name }} libvirtd --version"
+      register: libvirt_version_current_results
+      changed_when: false
+      run_once: true
+      delegate_to: "{{ item.item }}"
+      loop: "{{ container_facts_per_host.results }}"
+      loop_control:
+        label: "{{ item.item }}"
+      when:
+        - item.containers[service.container_name] is defined
+        - item.containers[service.container_name].State.Running
+        - (hostvars[groups[service.group] | first].service_image_info.images | default([]) | length) > 0
+        - item.containers[service.container_name].Image
+          != hostvars[groups[service.group] | first].service_image_info.images[0].Id
+
+    - name: Check that the new Libvirt version is >= current
+      vars:
+        current_version: "{{ item.stdout | regex_search('[0-9]+\\.[0-9]+\\.[0-9]+') }}"
+        new_version: "{{ hostvars[groups[service.group] | first].libvirt_new_version }}"
+      assert:
+        that: "{{ new_version is version(current_version, '>=', strict=true) }}"
+        fail_msg: >
+          It looks like you're about to downgrade Libvirt in the nova_libvirt container from
+          version {{ current_version }} to version {{ new_version }}. If you're absolutely certain
+          that you want to do this, please skip the tag `nova-libvirt-version-check`.
+        success_msg: >
+          Libvirt version check successful: target {{ new_version }} >= current {{ current_version }}.
+      run_once: true
+      loop: "{{ libvirt_version_current_results.results }}"
+      loop_control:
+        label: "{{ item.item }}"
+      when: item.stdout is defined
+
+  tags: nova-libvirt-version-check
+  when: enable_nova_libvirt_container | bool and (groups[service.group] | length) > 0
+  vars:
+    service_name: "nova-libvirt"
+    service: "{{ nova_cell_services[service_name] }}"
diff --git a/ansible/roles/service-image-info/defaults/main.yml b/ansible/roles/service-image-info/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+# Host to delegate task execution to.
+service_image_info_delegate_host: "{{ groups[service.group] | first }}"
diff --git a/ansible/roles/service-image-info/tasks/main.yml b/ansible/roles/service-image-info/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+- name: Get target image info (docker)
+  block:
+    - community.docker.docker_image_info:
+        name: "{{ service.image }}"
+      register: docker_image_info
+
+    - set_fact:
+        service_image_info: "{{ docker_image_info }}"
+      delegate_facts: true
+  become: true
+  delegate_to: "{{ service_image_info_delegate_host }}"
+  when: kolla_container_engine == 'docker'
+
+- name: Get target image info (podman)
+  block:
+    - containers.podman.podman_image_info:
+        name: "{{ service.image }}"
+      register: podman_image_info
+
+    - set_fact:
+        service_image_info: "{{ podman_image_info }}"
+      delegate_facts: true
+  become: true
+  delegate_to: "{{ service_image_info_delegate_host }}"
+  when: kolla_container_engine == 'podman'
diff --git a/ansible/site.yml b/ansible/site.yml
@@ -331,6 +331,10 @@
     - letsencrypt
     - '&enable_letsencrypt_True'
   serial: '{{ kolla_serial|default("0") }}'
+  max_fail_percentage: >-
+    {{ letsencrypt_max_fail_percentage |
+       default(kolla_max_fail_percentage) |
+       default(100) }}
   roles:
     - { role: letsencrypt,
         tags: letsencrypt }
diff --git a/releasenotes/notes/libvirt-catch-downgrade-d297347d745211f0.yaml b/releasenotes/notes/libvirt-catch-downgrade-d297347d745211f0.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    Prevents accidental ``libvirt`` downgrades in ``nova_libvirt`` container
+    image during deploy and upgrade. Adds a ``nova_libvirt`` version check that
+    resolves the target image digest once on the first compute host
+    and runs only on hypervisors where the running container digest differs
+    from the target.
diff --git a/zuul.d/nodesets.yaml b/zuul.d/nodesets.yaml
@@ -6,10 +6,10 @@
         label: centos-9-stream
 
 - nodeset:
-    name: kolla-ansible-debian-bookworm
+    name: kolla-ansible-debian-bookworm-8GB
     nodes:
       - name: primary
-        label: debian-bookworm
+        label: debian-bookworm-8GB
 
 - nodeset:
     name: kolla-ansible-debian-bookworm-16GB
@@ -18,10 +18,10 @@
         label: debian-bookworm-16GB
 
 - nodeset:
-    name: kolla-ansible-debian-bookworm-aarch64
+    name: kolla-ansible-debian-bookworm-aarch64-8GB
     nodes:
       - name: primary
-        label: debian-bookworm-arm64
+        label: debian-bookworm-arm64-8GB
 
 - nodeset:
     name: kolla-ansible-ubuntu-noble-8GB
@@ -55,16 +55,6 @@
       - name: secondary2
         label: debian-bookworm-16GB
 
-- nodeset:
-    name: kolla-ansible-debian-bookworm-multi-16GB
-    nodes:
-      - name: primary
-        label: debian-bookworm-16GB
-      - name: secondary1
-        label: debian-bookworm-16GB
-      - name: secondary2
-        label: debian-bookworm-16GB
-
 - nodeset:
     name: kolla-ansible-rocky9
     nodes:

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+---`
	`2`	`+# Host to delegate task execution to.`
	`3`	`+service_image_info_delegate_host: "{{ groups[service.group] \| first }}"`